Conference Papers (Selected)

A paper by Henson criticized the practice of comparing files for equality
by comparing their hash digests using a cryptographic hash function.
Our paper rebuts her criticisms on several fronts, and offers advice
for those planning on employing hash functions in this way.

A series of results are known regarding schemes in the Random-Oracle
Model which are "uninstantiable." In other words, schemes which have
proofs of security in the Random-Oracle Model but fail to be secure
when the oracle is replaced by any concrete function. A natural
question arises, are there analogous results in the Ideal-Cipher Model.

We answer this question in the affirmative, showing a blockcipher-based
hash function that is provably secure in the Ideal-Cipher Model, but
becomes trivially insecure when the Ideal Cipher is replaced by any
blockcipher.

A Study of the MD5 Attacks: Insights and Improvements
[pdf]
John Black, Martin Cochran, and Trevor Highland

MD5 is a well-known and widely-used cryptographic hash function. It has
received renewed attention from researchers subsequent to
the recent announcement of collisions found by Wang et al.
To date, however, understanding the method used by researchers in this
work has been fairly difficult to grasp.
In this paper we conduct a study of all attacks on MD5 starting from Wang.
We explain the techniques used by her team, give insights on how to
improve these techniques, and use these insights to produce an even
faster attack on MD5. Additionally, we provide an "MD5 Toolkit"
implementing these improvements that we hope will serve as an
open-source platform for further research.
Our hope is that a better understanding of these attacks will lead to
a better understanding of our current collection of hash functions,
what their strengths and weaknesses are, and where we should direct
future efforts in order to produce even stronger primitives.

A condensed version of this report appeared
in Fast Software Encryption -- FSE 2006, Graz, Austria, Mar 2006.

An Analysis of the Internet Chess Club
[pdf]
[ps.gz]
John Black, Martin Cochran, and Ryan Gardner

The Internet Chess Club (ICC) is a popular online chess server with
more than 30,000 members worldwide including various celebrities
and the best chess players in the world. Although the ICC website
assures its users that the security protocol used between client
and server provides sufficient security for sensitive information to
be transmitted (such as credit card numbers), we show this is not
true. In particular we show how a passive adversary can easily read
all communications with a trivial amount of computation, and how
an active adversary can gain virtually unlimited powers over an ICC
user. We also show simple methods for defeating the timestamping
mechanism used by ICC. For each problem we uncover, we suggest
repairs. Most of these are practical and inexpensive.

A version of this report appeared
in IEEE Security and Privacy Magazine, January 2006.
Another version appeared in the Annual Computer Security Applications
Conference--ACSAC 2005, Tucson, AZ, USA, 2005.

Fix a set of keys K. If we build an iterated hash function from any
blockcipher whose keys are restricted to K, can this hash function be
provably collision-resistant in the ideal cipher model? We answer
this question in the negative giving a general information-theoretic
attack. We also examine applications to the Tweak Chain Hash (TCH) of
Liskov, Rivest, and Wagner and show that TCH cannot be secure under
instantiations given in that paper.

Is it safe to encrypt and transmit keys? We introduce the notion of
key-dependent security and give a symmetric
scheme which satisfies the definition
and analyze this scheme in the random oracle model.

Preneel, Govaerts, and Vandewalle presented an attack-based analysis
of 64 natural ways to make a cryptographic hash function from a block
cipher. We revisit their work from a different vantage point and attempt
to prove the security of the constructions or demonstrate their insecurity.
We show that 20 of the 64 schemes are secure (ie, it is hard to find collisions
or to invert a random range point). Proofs are done in the Black-Box Model
against information-theoretic adversaries.

Following an idea of Vaudenay,
we consider side-channel attacks based on having an oracle which
indicates whether the underlying padding is done correctly or not. We
examine several popular and natural padding schemes and show that, under
CBC mode encryption, they all succumb to an attack which efficiently
recovers the plaintext. We then extend our results to other encryption
modes and other side-channels culminating in a recommendation for authenticated
encryption as the "proper" notion for symmetric encryption.

This paper seeks to generate a cipher which works on members taken from
an arbitrary finite set. We introduce three methods. The first shows
a simple way to encipher the set {0,...,k-1}: we simply encipher these
points (using a standard block cipher) and order the outputs. The
second enciphers {0,...,k-1} by using a standard block cipher to
encipher {0,...,N-1} where N is the next largest power of 2 beyond k;
if the encipherment is >= k, we iterate until it is not.
The final method uses a variant of the Luby-Rackoff construction
and is the most complicated.
The security of all methods are rigorously proven.

OCB is a new mode of operation for AES (or any block cipher) to provide
fast, parallelizable, and provably-secure encryption and
message authentication. (PMAC, listed above, provides only the latter.) For a
sketch on how OCB works, visit the
OCB Web Page.

A Suggestion on Handling Arbitrary-Length Messages with the CBC MAC
[pdf]
[ps.gz]
[ps]
John Black and Phillip Rogaway

This short document recommends the use of the XCBC construction from
CRYPTO 2000 as the CBC MAC variant of choice for
a standard AES mode of operation. It accepts any message length, has
proven security, and is patent-free.

We develop the fastest MAC yet devised. Following the Carter-Wegman
method, we develop a very fast computer-friendly hash function called NH.
NH runs fast on all computers and very fast on SIMD processors such as the
Intel Pentium or Motorola Altivec. We then build a full-fledged MAC on
top of NH, using several invocations with a Toeplitz shift to decrease
the collision rate. The security of the end-product, called UMAC,
is rigorously proven in the paper.

Following the link above will
bring you to the UMAC web page; available there are the paper, the spec,
and full source code.

Graph and Hashing Algorithms for Modern Architectures: An Experimental
Approach
[pdf]
[ps.gz]
[ps]
John Black, Charles Martel, and Hongbin Qi

We investigate the performance of various data structures on contemporary
architectures, paying particular attention to cache performance. We
examine BFS and DFS on small to medium sized random graphs, using various
tricks to enhance performance. We also investigate various collision
resolution policies for hash tables.

Journal Papers

The Impossibility of Technology-Based DRM and a Modest
Suggestion
[pdf]
John Black

This paper expresses our opinion that technology-based DRM is impossible
and what should be done about it. We start off looking at the list of
failures that technological solutions to the DRM problem have suffered from,
then discuss some of the fundamental issues. Finally, we offer the suggestion
that the content providers should perhaps start a media campaign rather than
to try and pursue the issue through the courts. This paper is an outgrowth
of my panel comments at the Silicon Flatirons Technology conference in 2003.

Appeared in Journal on Telecommunications and High Technology Law,
Volume 3, Issue 2, 2005.

This paper starts with the basic CBC MAC. We first give a simpler proof for a
variant called EMAC by treating it as an instance of the Carter-Wegman
paradigm. We then extend the domain of EMAC (which requires
all inputs be a multiple of the block length) to accept any message length,
calling this method ECBC. We then incrementally improve ECBC to increase
its performance (yielding FCBC and XCBC). The security of each construction
is carefully analyzed.

Appeared in the Journal of Cryptology, Volume 18, Number 2, pp 111-132.

We describe a parallelizable mode of operation for authenticity and
privacy. OCB is aggressively optimized to a minimum of block-cipher
calls, cheap offset calculations which are fast on virtually any
computing platform, only one block-cipher key, and it requires only
a nonce for initialization (as opposed to a random IV). More info
can be found on the
OCB Webpage.

Appeared in ACM Transactions on Information and System Security (TISSEC), Volume 6, Issue 3, August, 2003.

A survey of the methods for achieving authentication and encryption in the
private-key setting. Includes generic composition as well as the several
recently-invented methods that provide better efficiency.

My Thesis

A gentle introduction to Message Authentication Codes (MACs).
Examples, attacks, lots of formalism. Special emphasis on the
Carter-Wegman style of MAC. Includes pieces of the UMAC and
Three-Key papers, including some material not published anywhere
else.